Insider Threat Management

The (Not So) Secret Intentions of the People Behind Insider Threats

Share with your network!

Do you want to know a secret?

Okay, here goes: not all insider threat incidents are caused by malicious, bad intentioned individuals commonly portrayed in pop-culture, by the press, or even cybersecurity companies. Insider threat incidents are costly, but sometimes they’re simply the outcome of privileged users taking one too many risks or not fully understanding a cybersecurity policy.

In hindsight, perhaps this isn’t so much of a secret. But in cybersecurity, intent matters! Particularly when you’re investigating or reconstructing an insider threat incident or trying to get ahead of less-than-ideal behavioural trends.

So how can you make the right moves to better understand your users’ intentions?

How to Better Understand User Intentions

Know Who Your Privileged Users Are

As you know, privileged users have access to your organisation’s most valuable systems, tools, and data. These privileged users are typically those working directly in your organisation, or 3rd party vendors.

In the event that these users intentionally or unintentionally leak or exfiltrate data, the results would be catastrophic, if not severely damaging to your organisation. This unfortunate reality is the basis for everything you read about insider threats, and why having an insider threat management solution is important.

The thought is that if you know who and what your privileged users are up to, you can avoid, if not proactively identify, insider threat related incidents and behavioural trends.

Deploy the Right Tools

To defend your organisation from becoming another insider threat incident victim, you’ll want to find a user-centric tool that helps you:

  1. Monitor user activity, while maintaining an individual’s privacy
  2. Keep a finger on the pulse of potential insider threats, but also be capable of proactively educating them on policy in the moment
  3. Be able to deep dive into rich analytics and data to quickly investigate and reconstruct incidents as they occur (and get results – fast!)

It also helps if said tool can get you up and running with a robust library of built-in threat definitions, and minor configuration, in as little as 30 minutes. (Something like Proofpoint ITM, perhaps?)

What often gets forgotten, however, is that while it is important to know what your users are up to, it is also important to understand and respect their overall intent: to do their jobs as quickly and efficiently as possible. That’s not something that DLP is particularly well-known for.

Listen: Form Follows Function

The phrase “form follows function” may have its roots in architecture and industrial design, but it also has applications in insider threat management.

The cybersecurity tools you implement within your organisation should not create unnecessary barriers for your users to fulfill their duties! If your solution impedes or slows down the performance of your users, or their systems, you may be inadvertently increasing risk of a security incident.

The more difficult it is to do work, the more likely workarounds (or exploits) will be found. Users will always try to go about their business via the most direct route, without much thought. That’s a problem!

In fact, in a recent report put together by The Ponemon Institute, confirms that “the careless employee or contractor was the root cause of 2,101 of the 3,269 (insider threat) incidents reported.” Averaged out, that means 64% of reported insider threat incidents were unintentionally caused by privileged users!

Key Takeaways on User Intent and Insider Threats

Thanks to the onslaught of insider threat related incidents in the news, there is no denying that the risk and cost associated with insider threats is nothing to brush off. The threat is real, and security teams must adapt to keep privileged systems and data safe.

By working to understand the intent of privileged users, while utilising the right insider threat management tools, teams can learn how to spot less-than-ideal user activity trends to either stop nefarious actions or educate careless users in the right practices.

They can better:

  1. Understand what your users know, and don’t know about policies
  2. Determine whether policies are bottlenecking users inappropriately
  3. Know when to improve policy communications and standards


Learn how Proofpoint’s insider threat management solution helps your organisation better understand user intentions and stop insider threats in their tracks.